Ever since organizations were forced to convert their networks to support a large remote workforce, considerable attention has been focused on the security, or lack thereof, of routers, DVRs and other internet-connected devices workers have installed in their home networks. In the first half of 2020, FortiGuard Labs threat researchers saw plenty of evidence to suggest that cybercriminals were targeting the poorly secured devices and networks of remote workers to establish backdoor access to corporate networks.
Though cybercriminals have focused on compromising end user devices through malicious email and web campaigns that exploit fears about COVID-19, there has also been sustained attacker interest in exploiting old and new vulnerabilities in consumer IoT products. For example, exploit attempts against several consumer-grade routers and IoT devices were at the top of the list for IPS detections through the first six months of 2020.
However, IPS detections are only part of the attack landscape equation. Just because an IPS signature has fired doesn't necessarily mean that a device has been compromised or a breach has taken place. The detection of botnet activity is a much more accurate indicator of network compromise.
Once infected, IoT devices typically communicate with remote command-and-control hosts, and that outbound traffic can be gathered and correlated to provide a better picture of exactly what is going on inside the network perimeter. The information gathered from the assessment of botnet traffic should deeply concern IT teams.
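The correlation described above can be illustrated with a small script. This is an added example, not code from the article or from FortiGuard Labs: it groups outbound connection records per (source, destination, port) and flags tuples that reconnect on a near-fixed interval, the periodic check-in pattern that distinguishes an infected host from a one-off IPS alert. The log format, IP addresses, port and timestamps are all constructed for the example.

```python
"""Flag internal hosts whose outbound connections look like botnet beaconing.

Added example (not from the article). Correlates connection-log lines per
(source, destination, port) and reports tuples that reconnect on a near-fixed
interval. The log format and every sample line below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>".
# 192.168.1.20 contacts 203.0.113.5 every ~5 minutes; the other records are
# ordinary one-off connections that should not be flagged.
SAMPLE_LOG = """\
2020-05-04T10:00:00 192.168.1.20 -> 203.0.113.5:6667
2020-05-04T10:00:03 192.168.1.20 -> 198.51.100.7:443
2020-05-04T10:05:01 192.168.1.20 -> 203.0.113.5:6667
2020-05-04T10:07:40 192.168.1.31 -> 198.51.100.7:443
2020-05-04T10:10:00 192.168.1.20 -> 203.0.113.5:6667
2020-05-04T10:14:59 192.168.1.20 -> 203.0.113.5:6667
2020-05-04T10:20:02 192.168.1.20 -> 203.0.113.5:6667
2020-05-04T10:22:13 192.168.1.31 -> 198.51.100.9:443
2020-05-04T10:25:00 192.168.1.20 -> 203.0.113.5:6667
"""


def parse_line(line):
    """Return (timestamp, src, dst, port) from one line in the constructed format."""
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(log_text, min_connections=5, max_jitter=0.1):
    """Group connections per (src, dst, port) and keep the groups with at least
    min_connections whose gaps between connections vary by at most max_jitter
    (standard deviation relative to the mean gap). Returns a list of dicts."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        groups[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), stamps in groups.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps, not a usable interval
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(stamps),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every {hit['interval_s']}s ({hit['connections']} connections, "
              f"jitter {hit['jitter']})")
```

Run against the constructed log it reports a single tuple, 192.168.1.20 to 203.0.113.5 on port 6667 with a 300-second interval, while the one-off connections on port 443 are ignored. In practice the thresholds need tuning per environment, and a hit is a lead for investigation of the source host rather than proof of infection on its own.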
Understand the current threat landscape
In terms of botnet activity, Mirai and Gh0st were the most prevalent botnets being detected. Mirai was first launched in 2016 and Gh0st was first discovered two years prior in 2014. Botnets tend to have a longer lifespan than most malware; Mirai has been in and out of the top 10 ever since it was launched. However, the fact that these botnets moved to the top of the list and have remained there for months indicates that attackers have been successfully targeting older devices that haven’t been patched or otherwise protected.
One concern in today's pandemic-driven threat landscape is that attackers are looking to exploit the weak security of in-home systems to gain a foothold on enterprise networks. Cybercriminals accomplish this either by compromising the devices that work-from-home employees use to connect to the enterprise network, or by targeting other devices on the home network that can ride along on those connections. By exploiting these devices, criminals are able to quickly assemble massive botnets that can then be used to launch distributed denial-of-service attacks or distribute malware.
Once in place, a botnet is notoriously difficult to root out. Every time botnet data is examined, the primary lesson it imparts is that pervasive and persistent control is a prized commodity among cybercriminals.
Mirai and Gh0st continue to dominate
For the first half of 2020, Mirai was the world’s most dominant botnet. It was detected in 90% of all organizations registering botnet activity in May and June. Driven by a growing interest of attackers looking to target older vulnerabilities in consumer IoT products, Mirai took the top spot in early May during the height of the transition to working from home.
Gh0st was right on the heels of Mirai in the first four months of 2020. The variant Gh0st.rat was observed in 70% of organizations where botnet activity was detected. Attackers also used Gh0st for campaigns targeting work-from-home users and applications. Of special concern is the fact that Gh0st is a remote access botnet, which allows an attacker to take full control of an infected system, such as logging keystrokes, hijacking live webcam and microphone feeds, downloading and uploading files, and performing other nefarious activities.
Botnet activity varies by region
When comparing global regions and botnet detections, the prevalence of Mirai and Gh0st is ubiquitous. Even so, their activity isn't uniform across the globe. For example, the proportion of organizations that detected traffic related to a Mirai variant was more than 20% higher in Europe than in Asia. However, Europe landed in third place for Gh0st activity; North America and Oceania were the regions with the highest Gh0st activity.
Analysis of the remaining top twenty botnets reveals some even stronger regional differences:
- The Pushdo and Zeroaccess botnets were found in between 15% and 20% of all organizations around the world. North America owns the dubious distinction of being the most prevalent source for Pushdo activity, followed closely by Europe.
- The Sality and Gozi botnets were at least three times more prevalent in Africa, Asia and the Middle East than anywhere else in the world.
- FinFisher and Zeus were particularly active in Asia. FinFisher was detected in up to eight times more organizations in Asia than anywhere else.
- Emotet.Cridex was the only botnet we saw where Latin America led in detections.
Multiple factors account for such differences, including targeting, infrastructure, technology adoption, security configurations and user behavior. The point is, organizations that don’t consider regional variations may not be effectively defending themselves against the attacks most likely to be targeting them.
Staying on your cybersecurity toes
Threat vectors can change on a dime as agile and sophisticated criminals stand ready to take advantage of any opportunity. Defenders increasingly contend with not only more vulnerabilities across their networks, but more vulnerabilities that are actively being exploited in the wild. And these changes multiply when network transformation occurs, whether due to responding to a global pandemic or the normal course of digital innovation.
What's clear is that patching and updating, or at a minimum compensating controls in front of unpatched devices, have never been more important. But to be truly effective, organizations must also have access to the latest threat intelligence to be forewarned and forearmed. Security solutions must be integrated with best-of-breed threat protection for corporate IT environments that extend across the data center, the clouds, the network perimeter and the home network. All bases must be covered in this unprecedented season of cyber risk.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.